May 2012 | What's Happening in the Cloud?
Layering Security in the Cloud: Client-Side Encryption
Whether in meteorology or in business, mention of ‘clouds’ brings about certain notions of trepidation. Despite the fact that computer cloud tools are now likely as ubiquitous as clouds in the sky, many attorneys, in that broad class of business persons, do not use such products, or use them only reluctantly, when no reasonable alternatives exist. Of course, the ease of use and flexibility that the cloud offers have made other alternatives less and less viable, less sensible options, over time, to the point that cloud services have become almost a business necessity for most lawyers and law firms. The cloud does, of course, carry with it certain advantages, some portion of which has just been alluded to above. The ability to access uploaded content from anywhere you have internet access, from any number of supported devices, potentially in partnership with others users, with whom you can collaborate, in real-time, if you choose, all amounts to extremely powerful functionality. Hardware and general cost savings associated with the use of the cloud are also relevant to attorneys: reductions in system usage, when programs are no longer running on devices; reduction (or elimination) of server costs; and, pay-as-you go/subscription models (versus high, up-front, get-in costs) -- all represent real value to law firms. Most reputable cloud vendors also offer, and promote, the security of the online access that they provide, including the ubiquitous ‘government-level’ encryption, HTTPS:// secure access over the web and password protection, most commonly. Generally speaking, cloud vendors can provide a level of internet and document security that is well beyond what most solo and small firm attorneys could replicate (or afford) on their own. While most cloud security concerns are overblown, or stem from ignorance, there are legitimate security issues attached to commission of your electronic files to third party online vendors.
Some of the most popular cloud programs among attorneys are these document storage/sharing/collaboration tools, which create check-in/check-out pseudo-servers online, making your loaded files accessible from anywhere by yourself, and others to whom you allow access. Dropbox (www.dropbox.com) is probably the most popular product in this line among attorneys. Similar platforms SugarSync (www.sugarsync.com) and Evernote (www.evernote.com), to a lesser extent, are also used by lawyers and law firms. Attorneys love these tools because they’re free or cheap (you get a certain number of gigabytes of storage free, and from there you pay on a sliding scale, as your storage level increases -- as these companies are banking that it will) and fast and easy to use. However, for all the convenience offered by these online store/share programs, there are those nagging security concerns, including, chiefly, these three: the third party vendor has access to/can view your confidential documents; security breaches and loopholes have reared their ugly heads in the past (Dropbox accounts were recently left accessible by any password for a period of four consecutive hours), and will (probably always) continue to overhang your nerves like a thousand little Damoclean swords; and, most terms of service agreements indicate that cloud providers will release your data upon service of a warrant, and sometimes on broader provocation, or even inclination. Of course, there are some mitigating factors at play here, too: For one, third party vendors (online or off) have always had access to your documents, including your accountant (he sees your financial matter) and your cleaning service (which has keys to your office, and access to your files); the cloud vendors and their employees are probably more similar to accounting companies and their employees; but, the rubric remains the same: a third party, with a professional business purpose, has access to otherwise confidential information. For another, there are shades of exposure with respect to web files: there are security loopholes in systems (which could potentially lead to breaches); there are actual breaches (where data is exposed, but where no real damage occurs: the data is not used to a deleterious purpose -- though, I suppose, the damage is done where files are exposed/confidentiality is breached at all, outside the regular security parameters of the program used); and, there are detrimental actual breaches (where data is exposed, and actually used for a nefarious purpose). It’s almost axiomatic, by this point, that we have all either experienced a privacy/security breach already, or that we will experience one in the future. So, the question then centers whether the user has taken reasonable precautions to prevent data exposure/loss.
Our reliance on the cloud is fast becoming a form of dependence, like another chain link, leading back to fossil fuels. And, though the cloud may already be a business necessity, and even though vendors tout their (mostly legitimate) security safeguards, business professionals, especially lawyers, should endeavor to exercise some measure of control over their interactions in the space between their filing system and the now web’s. Just as you would monitor your accountant’s interactions with your finances, especially for trust accounting, and just as you would take precautions against your cleaning staff’s lifting important documents or files, you should exercise some reasonable measure of control over the information you post to the internet. And, there are cost-effective, easy-to-use tools for acquiring additional, personalized levels of cloud security within third party platforms.
The problem is and is not that third party cloud vendors provide platform security. It’s good that they do; it’s (potentially) bad that they hold the car keys. You may be able to set your password, to keep others out; but, when your cloud provider manages the platform, and encrypts the matter you upload, the provider can access any of that data, and can pass that data along to others, per the terms of service agreement you accepted when you decided to use the provider. He who encrypts (he who holds the encryption key), can decrypt. The way to take control back from your cloud providers, then, is to encrypt your data yourself before you upload it, so that you will again be the holder of the car keys (as it were) for your own documents. Even if your provider encrypts over your encryption, bypassing that layer will not grant the would-be hacker (should your provider’s security measures, including (potentially) encryption, fail), or your service provider, for that matter, access to the sought-after documents.
There are two species of client-side encryption available to lawyers who wish to tighten the security of the documents they upload to store/share sites, and who want to gain some measure of control back from their cloud vendors. D-I-Y (do it yourself) tools are those through which you apply encryption yourself; and, encryption manager tools are those services that will pre-encrypt, semi-automatically, for you. The simplest of the D-I-Y tools to get into are those in which you already operate. If you can add just one more checkdown to a process that you already leverage, you can reduce the amount of time that you spend to secure your documents prior to upload. Both Microsoft Word (www.office.microsoft.com/word) and Adobe Acrobat (www.adobe.com/products/acrobat) feature encryption and password protection. After you save your documents in either program, it’s another click, or a few (to apply certain settings), to encrypt those documents before uploading them to a cloud site. Perhaps the most compelling aspect of using Word or Acrobat is that you likely already own versions of these programs (or similar ones), and so will not be purchasing, or using, any new software to accomplish pre-encryption. There are also tools (the aforementioned encryption manager tools) that will allow you to encrypt files or containers (folders) for upload to cloud hosts. TrueCrypt (www.truecrypt.org) is a freeware program for accomplishing this purpose, while Symantec/PGP (Pretty Good Privacy) (www.symantec.com) is a paid option. TrueCrypt has been known to become complicated when pressed into service by the less tech-inclined -- such that, if your search is for a plug-and-play solution, a paid service like PGP may become more intuitive for you. Within this category are also on-the-fly encryption programs, which services will manage encryption on items placed in folders for upload to store/share cloud sites. Acting as a middling host, and transfer agent, these programs will handle encrypting and uploading for you, so long as you use the dedicated pass-through folder to your cloud host. Representative programs include BoxCryptor (www.boxcryptor.com), CloudFogger (www.cloudfogger.com) and SecretSync (www.getsecretsync.com); and, although these services most often advertise themselves as being companions to Dropbox, the technology will work with just about any cloud/upload host. On-the-fly encryption programs like these are priced out in the same way that the services they purport to protect you on are subscribed. The first couple, few or five gigabytes are free, with a monthly fee attached when you go beyond that capacity. SpiderOak (www.spideroak.com) may represent the best of both worlds, as a multi-featured Dropbox-style cloud storage and sharing program that offers client-side encryption options; however, for those techless attorneys, whose primary wish for their solutions is an ease of use, the combination of Dropbox and a pre-encryption tool may fit the bill more tidily than SpiderOak would.
Certainly, the foregoing is not an exhaustive list of client-side encryption tools; and, you may discover further in your own researches. You should, however, couch your knowledge, gained here and elsewhere, in terms of your obligations related to your jurisdiction’s ethics rules and guidance respecting engagement with cloud services, as well as the client confidentiality rules more generally. Additionally, certain state laws require specific behaviors in regard to cloud providers. Massachusetts, for example, mandates that business people, including attorneys, committing certain sensitive information sets to the cloud to vet and contract with the providers they use.
While others may hope that their clouds are traced by silver linings, you can choose to acquire an adamant harder than that.
Jared Correia is the Senior Law Practice Advisor at the Massachusetts Law Office Management Assistance Program. Prior to joining LOMAP, he was the Publications Attorney for the Massachusetts Bar Association. Before that, he worked as a private practice lawyer. Jared is a graduate of Suffolk University Law School and of Saint Anselm College, where he was a captain of the debate squad that finished as national runner-up in 2000.